Securing the Future of the Digital Economy
The infrastructure of the digital economy is now in many ways the infrastructure of the economy as a whole – many businesses would find it as difficult to function without computers and the Internet as their forebears would have done without roads and railways. Given this, it is striking how technologically little changed in how our digital infrastructure is actually built. The speed, power and storage capacity of computers have all improved dramatically over recent decades, but the underlying architecture, the way they operate, is surprisingly similar. The number of transistors on a chip has gone from a few thousand in 1971 to several billion, but a computer engineer from the 1970s would have little difficulty in comprehending the main components inside a modern smartphone and the way software is run on the platform.
Partly as a consequence, the digital economy remains alarmingly vulnerable, with deep-seated design choices made in the 1970’s or before still apparent and leaving software vulnerable. As the internet has become ever more embedded in organisations, so has the scope for hostile hacks, cyber attacks and data breaches. The Wannacry ransomware attack of 2017 affected a third of NHS trusts and the cancellation of approximately 7000 appointments, while in 2018 some 40,000 Ticketmaster customers had their credit card details stolen. Extend this to delivery of the billions of devices anticipated in the realization of the Internet of Things, and impacts of cyber vulnerability become really scary. Such attacks are typically either purely as a result of bad management of a system, or increasingly more, due to a bug in software being used as a gateway into a system and its data. Responding to public concern, regulators are taking an increasingly tough line – British Airways was recently fined a record £183 million for failing to prevent the data from half a million of its customers being leaked. In total, it has been estimated that the UK cost of cybercrime in 2016 was some £26bn.
Many businesses and government bodies could do more to protect themselves, but the vulnerabilities introduced by holes in software is not an issue that any single organisation can solve. From chip designers and manufacturers through platform builders, through to software houses, internet service providers, database producers and application platforms, the digital economy value chain is a complex one, with many different companies, technical standards and operating systems. The opportunity for increased protection in the hardware design is a commercial and impact chasm away from the users that are being effected by data breaches and cyber attacks.
The scale and the nature of the problem was recognised by national government through a initiative proposed by Arm Limited, a global company headquartered in the UK and responsible for shipping over 22 billion computer designs during 2018. Through the Industrial Strategy Challenge Fund, the government responded through the announcement of the Digital Security by Design Challenge, a major collaborative R&D programme. This will provide up to £70m of government funding, backed up by further investment from industry, in order to radically update and improve the foundations of computing infrastructure.
Crucially, the aim of the challenge is not simply to protect the UK’s digital economy. Rather, it is for the country to build on its current leadership in cyber security, and become the acknowledged leader in delivering more secured products and services. Shifting the current norms around hygiene best practice and monitoring, to one in which purchase decisions are made with respect solutions that are more secure from the outset.
The fundamental concepts around how a processor at the centre of all digital systems can be modified and further protect software from errors within itself, and from others attempting to leverage these vulnerabilities, is based on the results of 10 years of research led by the Computer Lab at the University of Cambridge through a program known as CHERI.
To deliver the objectives of the Digital Security by Design challenge, a number of funding competitions will be made covering various aspects of the digital value chain, starting with the goal of creating a hardware platform prototype in which a mainstream processor technology, for example from Arm, needs to be updated to updated to include CHERI-like security technologies. Further, innovations from across system software, runtime environments and tools from the world leading UK research base and businesses with the technologies and expertise to lead the research and developments will be funded to help “design out” many class of cyber threat. Such requiring the any collaboration to include the various social and economic factors.
All of this represents a significant vote of confidence in the UK’s existing research strengths, and an unprecedented level of targeted investment. Through EPSRC, ESRC, Innovate UK and KTN, there will be an ongoing programme of events, networking events and briefing opportunities to ensure that all businesses, including start-ups, and academic researchers will be able to benefit, and to bring their expertise to bear on one of the greatest challenges that the modern economy faces.